New Privacy Threats for Facebook and Twitter Users

Shah Mahmood
Department of Computer Science, University College London, United Kingdom

Abstract—With around 1 billion active users, Facebook and Twitter are two of the most famous social networking websites. One particular aspect of these social networks widely discussed in the news and heavily researched in academic circles is the privacy of their users. In this paper we introduce six new privacy leaks in Facebook and Twitter. First, we reveal how an attacker can map users’ email addresses to their real names using Facebook’s account recovery service. This mapping helps an attacker accumulate more information about the holder of an email address, which could then be used to launch targeted spam attacks. Second, we introduce how an attacker can reconstruct the friendlist of a victim on Facebook, even though that user’s privacy settings do not allow the attacker to explicitly view the victim’s friendlist. Third, we show the additional privacy leaks due to the introduction of Facebook’s Timeline. Fourth, we show how the unprecedented connectivity offered by social plugins breaches a user’s privacy. Fifth, we introduce social network relay attacks. Sixth, we show how an attacker can permanently withhold a victim’s Facebook account after the first take-over. Moreover, we propose solutions for each of these privacy leaks.

Keywords—Online Social Network, Privacy, Facebook, Twitter

I. INTRODUCTION

The use of cloud computing, and in particular online social networks, has increased explosively over the past few years. Over 900 million users are sharing various aspects of their personal and professional lives on Facebook every month [1]. Almost 230 million users are exposing some of their spontaneous thoughts as tweets on Twitter [2], 280,000 meetings of like-minded people are arranged by 9 million users of Meetup [3], 4 billion videos are watched on YouTube on a daily average [4], 80 million users are flicking through pictures uploaded by 51 million registered users of Flickr [5], around 15 million users have shared their 1.5 billion locations using Foursquare [6], over 90 million users can hang out on Google+ [7], and almost 150 million users are sharing their résumés and being connected to their professional contacts on LinkedIn [8]. This enormous level of connectivity, in addition to its positive impact, has also resulted in incidents of privacy breaches leading to loss of employment [9], suspension from school [10], imprisonment, and embarrassment [11]. A woman in Indiana (US) was robbed by a Facebook friend after she posted on her Facebook profile that she was going out for the night [13]. Moreover, according to a survey by Social Media Examiner, 92% of marketers use Facebook as a tool [12]. The widespread media coverage and in-depth academic analysis of these incidents have sparked a new interest in devising technological and sociological mechanisms for users’ privacy, including campaigns for user awareness. Even President Obama has advised caution when sharing data on social networks [14].

“Be careful about what you post on Facebook, because in the YouTube age, whatever you do will be pulled up again later somewhere in your life ...”

Numerous technical solutions have been proposed to (partially) solve the users’ privacy problem in the cloud environment, e.g. [15], [16]. Unfortunately, the usefulness of these proposals is limited when flaws lie in the service providers’ design and users do not have any better options to choose from. In this paper, we expose several such privacy flaws, which are examples of bad system design for services used by nearly 50% of all Internet users. First, we show how an attacker can map a list of email addresses to their users’ real names (see Section II-A). Mapping email addresses to real names can be useful for a wide range of attacks, including launching targeted phishing attacks against the victim or his acquaintances [17]. Second, we show how a Facebook user’s friendlist can be reconstructed from the activity on his profile, even if his privacy settings are set to hide the list (see Section II-B). Third, we identify the additional privacy leaks caused by the introduction of Facebook’s Timeline (see Section II-C). Fourth, we discuss how the seamless connectivity offered by social plugins can breach the privacy of a user (see Section II-D). Fifth, we discuss relay attacks in social networks (see Section II-E). These relay attacks are not limited to Facebook; they can, for example, also be launched using Twitter. Finally, we show how an attacker can withhold a user from recovering his compromised account (see Section II-F). With current Facebook and Twitter settings, these attacks cannot be prevented. Thus, in each section, after introducing the attack, we propose solutions for it. In Section III we discuss the related work and finally, in Section IV, we conclude the work.

2012 Seventh International Conference on P2P, Parallel, Grid, Cloud and Internet Computing. 978-0-7695-4841-8/12 $26.00 © 2012 IEEE. DOI 10.1109/3PGCIC.2012.46
Figure 1. Mapping email and phone number to real name and profile picture in Facebook

II. NEW PRIVACY LEAKS AND POSSIBLE SOLUTIONS

In this section we introduce several new privacy leaks in Facebook. The social network relay attack can also work in other social networks. Moreover, we also propose solutions to prevent these leaks.

A. Mapping email addresses to real names

Email addresses are widely sold, in bulk, for marketing and phishing attack purposes. These marketing and phishing attempts are less effective when not personalized [17], e.g., using “Dear Sir” is less effective than “Dear John Smith”. A design flaw in Facebook can help these marketers and phishers map email addresses to real names (Facebook’s “terms of use” legally require users to only use their real names on the social network). This mapping can be done in two ways.

First, an attacker can search for the real names corresponding to the email addresses on Facebook using direct mapping, through the search-by-email feature available on Facebook. This mapping will only work if the attacker is within the allowed category of people who can search for the user on Facebook, as users can limit being searched to “Friends”, “Friends of friends”, etc. Moreover, to automate the attack a user will have to use Facebook’s APIs, which can at times be very restrictive.

The second method works against any privacy settings chosen by a user and does not require any Facebook APIs. Here, an attacker can go to Facebook’s recovery page and input an email address from the list. If the email belongs to a registered profile on Facebook, it will return a page as shown in Figure 1. This shows the real name and a thumbnail profile picture of the user.

On the other hand, if the email address does not correspond to a Facebook account, then the attacker is directed to the page displayed in Figure 2, which clearly states that there is no Facebook account corresponding to that email address.

Figure 2. Facebook response when an email address does not correspond to a registered account

Attackers can use this mapping to launch other attacks against users. A user’s email address is their username when logging into Facebook. Its revelation enables the attacker to attempt to hack into the user’s account by either attempting to answer the user’s secret question (which, once set on Facebook, cannot be changed) or by guessing the password.

Solution: Facebook’s provision of a real name, as shown in Figure 1, to confirm the email address of a user for account recovery is not necessary. As users can only use their real names on Facebook, and it is rare that a user will forget his real name, instead of providing a user with the real name and asking for confirmation, Facebook should ask a user to provide his real name in addition to his email address. This way marketers and phishers will not be able to map emails to real names using Facebook.

B. Reconstruction of a friend’s friendlist

For added privacy, Facebook users have the option to restrict who can view their friendlist, but this does not mean a friend attacker² cannot reconstruct that user’s friendlist. For at least a partial reconstruction, a friend attacker can enumerate the names/user IDs of all the users who comment on posts visible to friends only. In Figure 3, even though the user’s friendlist is not visible to the author, we are able to find the names of at least four friends of the victim³. One friend has commented on the post and the other three have liked it. By analyzing more posts, over a longer duration of time, an attacker can find the names and user IDs of more friends of the victim.

Similarly, when a user is tagged in a photo, we can see the name of the person who tagged the user by rolling the mouse over their name. It displays “Tagged by” and the tagger’s name. As only a user’s friends are allowed to tag them on Facebook, this also helps in reconstructing the friendlist.

² A friend attacker is an attacker who is a friend on Facebook.
³ The author’s friend was asked for permission and has kindly agreed to use their post in this paper.
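The recovery lookup of Section II-A and the email-binding rule proposed in Section II-F later in the paper, as an added example that is not code from the paper or from Facebook. The leaky and hardened recovery flows are placed side by side; the hardened one goes one step beyond the paper's fix (an assumption of this example) by returning the same response whether or not the address is registered. All accounts, names and email addresses are constructed sample data.

```python
"""Added example, not code from the paper: a toy account store that contrasts
the recovery lookup of Section II-A with the paper's fix, and enforces the
email-binding rule of Section II-F. All users and emails are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Account:
    account_id: int
    real_name: str
    login_email: str
    thumbnail: str   # profile-picture URL (constructed value)


class AccountService:
    def __init__(self) -> None:
        self._by_email: Dict[str, Account] = {}
        self._ever_used: Set[str] = set()       # II-F: every email that was ever a login
        self.reset_links_sent: List[str] = []   # inboxes that received a reset link

    def register(self, account_id: int, real_name: str, email: str, thumb: str) -> Account:
        key = email.casefold()
        # II-F: an email that has ever served as a login may not be attached to a
        # new account, even after the original account was renamed or re-pointed.
        if key in self._ever_used:
            raise ValueError("email was already used as a login")
        acct = Account(account_id, real_name, key, thumb)
        self._by_email[key] = acct
        self._ever_used.add(key)
        return acct

    def change_login_email(self, old: str, new: str) -> None:
        """Re-point an account to a new login email; the old one stays reserved."""
        new_key = new.casefold()
        if new_key in self._ever_used:
            raise ValueError("email was already used as a login")
        acct = self._by_email.pop(old.casefold())
        acct.login_email = new_key
        self._by_email[new_key] = acct
        self._ever_used.add(new_key)

    def rename(self, email: str, new_name: str) -> None:
        self._by_email[email.casefold()].real_name = new_name

    def recover_leaky(self, email: str) -> dict:
        """The flow of Figures 1 and 2: the response itself reveals whether the
        address is registered and, if so, the real name and thumbnail."""
        acct = self._by_email.get(email.casefold())
        if acct is None:
            return {"found": False}
        return {"found": True, "name": acct.real_name, "thumbnail": acct.thumbnail}

    def recover_hardened(self, email: str, claimed_name: str) -> dict:
        """The paper's fix (the caller supplies the name) plus a uniform response,
        so only the owner of the inbox learns whether the pair matched."""
        acct = self._by_email.get(email.casefold())
        if acct is not None and acct.real_name.casefold() == claimed_name.casefold():
            self.reset_links_sent.append(acct.login_email)
        return {"status": "If the details match an account, a reset link has been emailed."}
```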
Figure 3. Reconstructing friendlist on Facebook from wall posts

Moreover, Facebook does not allow users to hide their mutual friends. The names of mutual friends can also be added to the partially reconstructed friendlist of the victim. This way the attacker can reconstruct a very significant part of a user’s friendlist.

Solution: If a user does not want his friendlist to be visible to his friends, then Facebook should not display that user’s mutual friends. Also, when a user views the wall of a friendlist-hiding friend, the comments and likes by other friends in the friend’s view should be anonymized. For example, when the profile owner sees the comments it could be “John Smith” commented hi, but when his friend views it, it should be “A friend” commented hi. Similarly, the photo taggers should not be visible for such users. This way, it will be much harder for anyone to reconstruct the friendlist of that user. Of course, the anonymization of other contributing users’ names on a friendlist-hiding user’s profile will complicate the flow of conversation between his multiple friends, but that is the tradeoff between better privacy and ease of communication. Alternatively, a specific list of highly trusted friends could be allowed to have the non-anonymous view of the friend comments, again at the cost of leaking information to them.

C. Curse of the Timeline

Timeline, a new virtual space in which all the content of Facebook users is organized and shown, was introduced on December 15, 2011 [18]. In addition to the re-organization of users’ content, Timeline comes with some default and unchangeable privacy settings. Firstly, it is no longer possible for a Facebook user to hide their mutual friends, which was possible before Timeline. The impact of the revelation of mutual friends has been discussed in the previous section. Secondly, it is not possible to limit the public view of “cover photos”. These cover photos could be a user’s personal pictures or political slogans, and their widespread sharing may have various short term and long term consequences for that user. Thirdly, with the Timeline, depending on the user’s privacy settings, if the likes and friendlist of a user are shared with a list of users, then that list of users can also see the month and the year when those friends were added or when the user liked those pages. This will allow an attacker to analyze the sentiments and opinions of a user, e.g. when a user started liking more violent political figures and unliking the non-violent ones. Finally, with the Timeline, if a user makes a comment on a page or a group, he does not have the option to disable being traced back to the profile. Before the Timeline, a user could make themselves searchable by a specific group (e.g. “Friends” or “Friends of friends”, etc.) and even if they commented on pages and groups, people outside those allowed groups would not be able to link back to the commenter’s profile. Facebook can solve these problems by allowing users to change the settings to share their content with their desired audience.

D. Curse of social plugins

In April 2010, Facebook launched its social plugins to integrate other websites into Facebook. Since its launch, over 2.5 million websites have used social plugins. Using social plugins, websites can allow users to comment on their content using their Facebook accounts. Moreover, it enables seamless sharing of content from other websites to Facebook. Although there are a large number of marketing benefits of social plugins, they have also created new privacy problems for users. One of the biggest adverse effects for a user is the fact that their activity can be traced back to their Facebook profile. Figure 4 shows an example of such a privacy problem. The users have commented on a news article published by a Japanese newspaper. Here Wataru Iwamoto has commented on this article when Reiko Mihara shared it on his Facebook profile. Wataru did not agree for his comment to be displayed on a publicly visible website. Due to their comments’ public visibility, their opinions regarding the topic are now visible to anyone who can view the article on the website, and they are traceable back to their profiles for the inquirer to find more details about them. This tracing has the potential for various short and long term consequences for users.

Again, this problem can be prevented by Facebook through limiting the view of the comments from public websites and making the comments of users visible only on the user walls or fan pages where they originally commented. Moreover, those users who comment on public forums using their Facebook accounts should be given the possibility to remove the linkability to their accounts.

E. Social network relay attacks

Prior research has shown the ease of cloning profiles on Facebook [19]. Similar methods can be used to clone profiles on Twitter and other social networks. Another variant of the cloning attacks can be a relay attack. In a relay attack, (1) the attacker gets access to the social network content shared by the victim, (2) he creates a new profile with the same name as the victim, (3) he relays the victim’s messages. To avoid detection by the victim, the attacker blocks the victim from the fake profile; thus, the victim will no longer be able to search for the attacker on the social network. To further reduce the chance of detection, the attacker can block all current friends/followers of the victim, so that no one in the current online social circle of the victim will know about the existence of the attacker. This attack seems innocent if the attacker only relays the exact messages of the victim to a subset of his approved audience, but it becomes malicious when the attacker starts sharing the content beyond the approved audience. Moreover, the attacker may selectively add, delete or modify messages and share them with any audience. In the case of Twitter, it is easier to launch this attack, as a user’s tweets are mostly public, but for Facebook the attacker needs to be a friend of the victim to get access to most messages. Thus, he may use social bots or a targeted friend attack to become friends in the first place [20], [21] and then launch the attack. This attack can be used to achieve many goals; for example, in a political scenario, it can be used to damage the reputation of a rival or misinform his audience.

Figure 4. Social Plugins on a Japanese news website

Solution: When a user loses access to their account as a result of forgetting the password or their account being hacked, Facebook verifies the user with some acceptable documents, as shown in Figure 5, in order to re-grant him access to his account. These documents include a user’s passport and driving license. Such documents are hard for an attacker to fake because of the technical difficulties and legal penalties. Moreover, when a user provides these documents to prove their identity to Facebook or any other social network, it is not a breach of privacy as the act is willfully done by the user.

Figure 5. Documents that Facebook requests for account verification

Similar verification can be offered by social networks to prevent relay attacks. Any user who has been verified could be provided with a “Verified by the service provider” mark for the real name and other attributes on the profile. If the original profile has a certificate of authenticity, it will be harder for relay attackers to launch the attack without raising suspicion. In essence, the social network will have to act as a certification authority.

F. Permanent take-over of a Facebook account

Facebook allows a user to recover their compromised account using several verification mechanisms, but they all fail if the attacker changes the name of the victim’s account and attaches a new account to the victim’s email address used to log in to Facebook. Thus, the attacker can afford to lose the decoy account created with the victim’s email attached while keeping a permanent take-over of the victim’s real account.

Solution: Facebook should not allow associating previously used email addresses with new accounts. This will prevent the permanent take-over attack.

III. RELATED WORK

Risks and threats to users’ personal data on social networks have been widely researched over the past few years. Gross et al. [22] performed one of the earliest studies to identify potential threats, including identity theft, embarrassment and stalking, to the users of social networks. Bonneau et al. [23] showed that the public listing of eight friends in Facebook public search leads to revealing much more than just limited information. Dhingra and Bonneau independently provided limited hacks into Facebook photos [24], [25]. Felt [26] presented a cross-site scripting vulnerability in the Facebook Markup Language which allowed arbitrary JavaScript to be added to the profiles of the users of an application, which led to session hijacking. Polakis et al. [17] showed how names extracted from social networking sites can be used to launch personalized phishing attacks, which are much more successful than traditional phishing. Mahmood and Desmedt presented the deactivated friend attack, utilizing which an attacker can have indefinite access to their victim’s personal information [21]. Using targeted friend requests, they were added as friends by 62% of their victims. They also provided the first preliminary study of Google+’s privacy and its comparison to Facebook [27]. Boshmaf et al. [20] used socialbots to demonstrate the breaching of users’ privacy on Facebook using the botnet model. Socialbots have been previously used by criminals and are sold online for as little as USD 29. They created 102 socialbots to make friends with 3055 Facebook users in eight weeks with a success rate of 35.6%. Bilge et al. [19] showed the ease of launching an automated identity theft attack against some popular social networks by sending friend requests to friends of a cloned victim. Chaabane et al. showed the implicit leak of information through the likes and interests of users on Facebook [28].

IV. CONCLUSION

In this paper we exposed several new flaws in Facebook and Twitter. These include the possibility of an attacker mapping email addresses to real user names, the possibility of reconstructing a user’s friendlist even if his privacy settings are set to hide it, and the new privacy flaws introduced with the introduction of Facebook’s Timeline and social plugins. Moreover, we introduced relay attacks in social networks and showed how their use could result in privacy breaches. For an attacker with a compromised account of a user, we presented a mechanism to permanently take it over.
We also provided solutions to each of the privacy leaks/attacks we exposed.

REFERENCES

[1] “Facebook statistics,” accessed: May 16, 2012.
[2] C. Taylor, “Social networking ‘Utopia’ isn’t coming,” CNN, June 27, 2011.
[3] “About Meetup,” accessed: Feb. 20, 2012.
[4] YouTube, “YouTube statistics,” accessed: May 16, 2012.
[5] “Flickr,” accessed: Feb. 20, 2012.
[6] “Foursquare,” accessed: Feb. 20, 2012.
[7] E. Barnett, “Google+ hits 90 million users,” The Telegraph, Jan. 20, 2012.
[8] “LinkedIn,” accessed: Feb. 20, 2012.
[9] T. Monkovic, “Eagles employee fired for Facebook post,” New York Times, March 10, 2009.
[10] J. Bonneau, J. Anderson, and G. Danezis, “Prying data out of a social network,” in ASONAM, 2009, pp. 249–254.
[11] D. Barret and M. H. Saul, “Weiner now says he sent photos,” The Wall Street Journal, Jun. 7, 2011.
[12] M. Stelzner, “Social media marketing industry report,” 2011.
[13] D. L. Michael Henderson, Melissa de Zwart and M. Phillips, Will u friend me? Legal Risks of Social Networking Sites. Monash University, 2011.
[14] “Obama advises caution in use of Facebook,” Associated Press, Sep. 8, 2009.
[15] S. Mahmood and Y. Desmedt, “Usable privacy by visual and interactive control of information flow,” in Twentieth International Security Protocols Workshop, 2012.
[16] ——, “Two new economic models for privacy,” in SIGMETRICS Performance Evaluation Review, 2012.
[17] I. Polakis, G. Kontaxis, S. Antonatos, E. Gessiou, T. Petsas, and E. P. Markatos, “Using social networks to harvest email addresses,” in WPES, 2010, pp. 11–20.
[18] “Facebook Timeline,” accessed: May 16, 2012.
[19] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, “All your contacts are belong to us: automated identity theft attacks on social networks,” in WWW, 2009, pp. 551–560.
[20] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu, “The socialbot network: when bots socialize for fame and money,” in ACSAC, 2011, pp. 93–102.
[21] S. Mahmood and Y. Desmedt, “Your Facebook deactivated friend or a cloaked spy,” in PerCom Workshops, 2012, pp. 367–373.
[22] R. Gross, A. Acquisti, and H. J. H. III, “Information revelation and privacy in online social networks,” in WPES, 2005, pp. 71–80.
[23] J. Bonneau, J. Anderson, F. Stajano, and R. Anderson, “Eight friends are enough: Social graph approximation via public listings,” in SNS, 2009.
[24] A. Dhingra, “Where you did sleep last night? ...thank you, i already know!” iSChannel, vol. 3, no. 1, 2008.
[25] J. Bonneau, “New Facebook photo hacks,” 2009.
[26] A. Felt, “Defacing Facebook: A security case study,” 2007. [Online].
[27] S. Mahmood and Y. Desmedt, “Poster: preliminary analysis of Google+’s privacy,” in ACM Conference on Computer and Communications Security, 2011, pp. 809–812.
[28] A. Chaabane, G. Acs, and M. A. Kaafar, “You are what you like! Information leakage through users’ Interests,” in NDSS, 2011.